Aaron,

There's a group of folks from M3AAWG that are working toward a sort of mechanism for SMTP, roughly using some ideas relating to HSTS and/or certificate transparency. The idea being that you would specify a published policy where a sender can see that you expect that sessions will be encrypted, and report TLS failures to the receiving system (without TLS).
-- 
Alex Brotman
Engineer, Anti-Abuse
Comcast
x5364

-----Original Message-----
From: Uta [mailto:[email protected]] On Behalf Of Aaron Zauner
Sent: Thursday, December 03, 2015 12:51 PM
To: [email protected]
Subject: Re: [Uta] Dealing with STARTTLS Stripping *Caught*

Just dusted this off during a discussion. I wanted to point out:

http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf

Due to be a full talk at 32c3 as well.

I don't care what we do - but we should at least discuss this properly. I haven't seen a sound proposal that would mitigate active attacks yet and really dislike anything DNSSEC based (YMMV, some people do also believe in IPv6 security).

Aaron

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
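The policy-plus-reporting idea in Alex's reply, as an added illustration that is not the M3AAWG proposal or any code from this thread: a sending MTA reads a published policy (a constructed, hypothetical key: value format), checks whether the receiver's EHLO reply still advertises STARTTLS, and under an enforce policy refuses cleartext delivery while producing a failure report. The policy text, EHLO replies and report address are constructed sample values.

```python
import re

# Constructed, hypothetical policy format (not the M3AAWG proposal itself):
# "mode" is enforce or testing, "report-to" is where TLS failures are sent.
POLICY_ENFORCE = """
# published by the receiving domain
mode: enforce
report-to: mailto:tls-reports@example.net
"""

# Constructed EHLO replies: one intact, one with the STARTTLS line stripped
# by an on-path attacker.
EHLO_WITH_TLS = "250-mx.example.net\r\n250-SIZE 10240000\r\n250 STARTTLS\r\n"
EHLO_STRIPPED = "250-mx.example.net\r\n250 SIZE 10240000\r\n"


def parse_policy(text):
    """Parse the key: value policy text into a dict (keys lower-cased)."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        policy[key.strip().lower()] = value.strip()
    return policy


def ehlo_offers_starttls(ehlo_reply):
    """True if any 250 line of the EHLO reply advertises STARTTLS."""
    return any(re.match(r"250[ -]STARTTLS\b", line.strip(), re.I)
               for line in ehlo_reply.splitlines())


def decide_delivery(policy, ehlo_reply, handshake_ok=True):
    """Return (deliver, report) for one session.

    handshake_ok models the TLS handshake outcome when STARTTLS was offered.
    Missing STARTTLS under an enforce policy is refused, which is what defeats
    stripping; under testing the mail is delivered but the failure is reported.
    """
    offered = ehlo_offers_starttls(ehlo_reply)
    if offered and handshake_ok:
        return True, None
    report = {
        "failure": "starttls-not-offered" if not offered else "tls-handshake-failed",
        "policy-mode": policy.get("mode", "none"),
        "report-to": policy.get("report-to"),
    }
    # Only an enforce policy lets the sender refuse cleartext delivery.
    return policy.get("mode", "").lower() != "enforce", report
```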
